nullcon 2011 - vulnerabilities and malware: statistics and research for malware identification


Upload: nu-the-open-security-community

Post on 18-May-2015


DESCRIPTION

Vulnerabilities and Malware: Statistics and Research for Malware Identification by Wolfgang Kandek

TRANSCRIPT

Page 1: nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malware Identification

Qualys – Vulnerabilities, Statistics and… Malware ?

Wolfgang Kandek, CTO Qualys, Inc.

http://nullcon.net/
http://null.co.in/

Page 2: Qualys Basics

• Founded to automate Vulnerability Assessments
• Software as a Service (SaaS) with:
  – Internet based shared scanners
  – Scanner Appliances for internal scanning
  – Webportal for data access

Page 3: VIP 2-factor or Client certificate strong authentication options


Page 5: Qualys Basics (continued)

• 270 employees (140 in Engineering)
• 5000+ customers


Page 7: IDC 2011 Report

Page 8: Frost & Sullivan 2010 Report

Frost & Sullivan: Vulnerability Management Market Leadership Report - Nov 2010

Page 9: Laws of Vulnerabilities

• 2004 - 3M IPs scanned, 2M vulnerabilities
  – Half-life – 30 days
  – Prevalence – 50 % renewal annually
  – Persistence – unlimited for some
  – Exploitation – 80 % available within 60 days
• 2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity

Page 10: Laws of Vulnerabilities

Chart: Overall Critical Vulnerabilities – 72M data points
Half-Life = 29.5 days

Page 11: Laws of Vulnerabilities (continued)

• Difference by OS and Application

Page 12: Laws of Vulnerabilities

Chart: 2009 mixed half-life (x-axis: Days, y-axis: Percent)

Page 13: Laws of Vulnerabilities

Three charts (x-axis: Days, y-axis: Percent):
– Microsoft OS vulnerabilities
– Adobe Acrobat APSA09-1 & APSA09-02
– MS09-017 - Powerpoint - 5/12/2009
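The half-life figures in this section (29.5 days overall on page 10, and the separate per-OS and per-application curves on page 13) describe an exponential decay of the unpatched population. The Python below is an added worked example, not code from the deck or from Qualys: it models that decay, converts a half-life into a "days until only X % remain" figure, and estimates a half-life from (day, percent remaining) pairs with a least-squares fit in log space, so a team can compute the same statistic from its own scan exports. The curves in CURVES are constructed from chosen half-lives for illustration; they are not the deck's measured values.

```python
import math


def remaining_fraction(days: float, half_life: float) -> float:
    """Fraction of a vulnerability population still open after `days`,
    assuming the exponential decay that a half-life implies."""
    return 0.5 ** (days / half_life)


def days_to_reach(fraction: float, half_life: float) -> float:
    """Days until only `fraction` (0 < fraction <= 1) of the population remains."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    return half_life * math.log2(1 / fraction)


def estimate_half_life(observations) -> float:
    """Least-squares fit of log2(percent / 100) = -(1 / h) * day through the origin.

    observations: iterable of (day, percent_remaining) pairs, where day 0 is 100 %.
    Day-0 points and 0 % points are skipped: the first carries no information
    and the second is undefined in log space.
    """
    num = den = 0.0
    for day, pct in observations:
        if day <= 0 or pct <= 0:
            continue
        y = math.log2(pct / 100.0)
        num += day * y
        den += day * day
    if den == 0 or num >= 0:
        raise ValueError("need at least one observation with day > 0 and percent < 100")
    # slope = num / den = -(1 / h), so h = -den / num
    return -den / num


def synthetic_curve(half_life: float, step: int, last_day: int):
    """Constructed data: sample a decay curve at a fixed interval, as a scan export would."""
    return [(d, 100.0 * remaining_fraction(d, half_life)) for d in range(0, last_day + 1, step)]


# Constructed curves (hypothetical half-lives, chosen only to show that the
# estimator recovers different values for different populations).
CURVES = {
    "overall critical (constructed)": synthetic_curve(29.5, 7, 175),
    "os-vendor-A (constructed)": synthetic_curve(40.0, 16, 240),
    "app-vendor-B (constructed)": synthetic_curve(60.0, 8, 120),
}


def half_life_report(curves) -> dict:
    """Estimated half-life in days, rounded to one decimal, per named curve."""
    return {name: round(estimate_half_life(obs), 1) for name, obs in curves.items()}


if __name__ == "__main__":
    for name, h in half_life_report(CURVES).items():
        print(f"{name}: half-life {h} days, 10 % left after {days_to_reach(0.1, h):.0f} days")
```

For real data, feed estimate_half_life the (days since disclosure, percent of hosts still affected) pairs from successive scans; a curve that refuses to fit a straight line in log space is itself a finding, since it usually means the population has a long-lived tail (the "Persistence – unlimited for some" law on page 9).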

Page 14: New Services

• Policy Compliance
  – Configuration checks
    • Password length, installed SW, access rights
  – 20 technologies, 2000 controls
• Web Application Scanning
  – Web Application Catalog
  – Batch oriented production scanning

Page 15: New Research Activities

• Blind Elephant – Web Application Fingerprinter
• Neptune – Malware Detection Scanner
• Browsercheck – Light-weight, end-user VA
• IronBee – Web Application Firewall
• SSL Labs – World-wide SSL usage statistics
• Dissect – Malware Exchange/Analysis Portal
• HoneyNet Research Portal

Page 16: Blind Elephant Web App Fingerprinter

• Fingerprint common web applications by analyzing source code
• Blogs, Forums, Wikis, etc

Pages 17-18: Blind Elephant Web App Fingerprinter (image slides)

Page 19: Blind Elephant Web App Fingerprinter (continued)

• Goals: accuracy, speed, low resource usage
• Results

Page 20: Blind Elephant Web App Fingerprinter

• 1 Million “.com” domains

Pages 21-22: Blind Elephant Web App Fingerprinter (image slides)

Page 23: Blind Elephant Web App Fingerprinter (continued)

• Available at: blindelephant.sourceforge.net
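Blind Elephant identifies a web application and its version from the files it serves, which is what lets a site owner confirm which version is actually deployed before matching it against advisories. The Python below is an added example, not the tool's own code: it models the fingerprinting as hash matching of known static files against a per-version database (an assumed approach; the deck only says "analyzing source code"). The application "exampleblog", its versions, file paths and contents are constructed, and the fetch step is simulated with an in-memory dictionary so the example runs offline.

```python
import hashlib


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed corpus: file contents per release of a hypothetical app "exampleblog".
# Files that did not change between releases are deliberately identical, so that
# some fetches narrow the version down and others do not.
VERSION_FILES = {
    "1.0": {"css/style.css": b"body{margin:0}", "js/app.js": b"var v='1.0';", "readme.txt": b"exampleblog"},
    "1.1": {"css/style.css": b"body{margin:0}", "js/app.js": b"var v='1.1';", "readme.txt": b"exampleblog"},
    "2.0": {"css/style.css": b"body{margin:0;padding:0}", "js/app.js": b"var v='2.0';", "readme.txt": b"exampleblog v2"},
}


def build_db(version_files: dict) -> dict:
    """Fingerprint database: path -> content hash -> set of versions shipping that exact file."""
    db: dict = {}
    for version, files in version_files.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(digest(content), set()).add(version)
    return db


def make_fetch(site_files: dict):
    """Simulated HTTP fetch for this offline example: body for a path, or None for a 404."""
    def fetch(path: str):
        return site_files.get(path)
    return fetch


def fingerprint(db: dict, fetch):
    """Fetch every path in the database, hash what comes back and score each version
    by the number of exact file matches.

    Returns (best_versions, score). More than one version in the list means the
    files retrieved are shared between releases and do not discriminate further;
    an empty list means nothing matched the known corpus.
    """
    scores: dict = {}
    for path, hashes in db.items():
        content = fetch(path)
        if content is None:
            continue  # file absent on this site: no evidence either way
        for version in hashes.get(digest(content), ()):
            scores[version] = scores.get(version, 0) + 1
    if not scores:
        return [], 0
    best = max(scores.values())
    return sorted(v for v, s in scores.items() if s == best), best


if __name__ == "__main__":
    db = build_db(VERSION_FILES)
    print("site running 1.1 ->", fingerprint(db, make_fetch(VERSION_FILES["1.1"])))
    ambiguous = {"css/style.css": b"body{margin:0}", "readme.txt": b"exampleblog"}
    print("site serving only shared files ->", fingerprint(db, make_fetch(ambiguous)))
```

Scoring only exact hash matches is what keeps the approach cheap and accurate: no page parsing, a handful of GETs for static files, and a version set that shrinks as more discriminating files are retrieved. The trade-off is that a site which customises or strips those files yields an empty or ambiguous result rather than a wrong one.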


Page 25: Neptune Malware Detection System

• Visit/crawl web site with:
  – Virtualized Machine
  – Vulnerable, but instrumented OS
  – Vulnerable, but instrumented Browser
  – Configuration
    • VMware
    • Internet Explorer 6 on Windows XP
    • Detours + Custom Hooks
• Log everything
• Detect malicious intent early, avoid infection

Page 26: Neptune Malware Detection System

• Static Detection
  – Analyze inputs for known exploit patterns, signature based
  – Pro: efficient and fast, signatures easily updated and shared
  – Con: false positives, defeated by obfuscation, known threats only
• Behavioral Detection
  – Monitor the browser process, check for anomalous activity
  – Pro: false positives low, immune to obfuscation and detect new threats
  – Con: success required, false negatives, expensive
• Reputation and AV checks (pluggable: Google, Trend)
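Page 26 contrasts a static, signature-based stage with a behavioral stage that watches the instrumented browser. The Python below is an added illustration, not Neptune's code: a small static matcher over page content plus a rule set over constructed API-hook log lines (the log format, the signature patterns and the event lines are all hypothetical), combined so that a page which does not contain the literal signature text is still flagged once the browser process shows anomalous activity, and so that a page which never triggers inside the sandbox produces no behavioral finding, which is the "success required" caveat on the slide.

```python
import re

# Constructed static signatures (hypothetical patterns, for illustration only).
SIGNATURES = {
    "nop-sled-unescape": re.compile(r"unescape\(\s*['\"](?:%u9090){4,}", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0['\"]?", re.I),
}

# Constructed page content. PAGE_SPLIT carries the same string as PAGE_PLAIN but
# the function name is assembled at runtime, so the literal the signature looks
# for never appears in the HTML: this is the "defeated by obfuscation" con.
PAGE_PLAIN = '<script>var s = unescape("%u9090%u9090%u9090%u9090");</script>'
PAGE_SPLIT = '<script>var f = window["une" + "scape"]; var s = f("%u9090%u9090%u9090%u9090");</script>'
PAGE_IFRAME = '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'


def static_detect(content: str, signatures=SIGNATURES) -> list:
    """Signature stage: names of every pattern found verbatim in the input."""
    return sorted(name for name, pat in signatures.items() if pat.search(content))


# Hypothetical hook-log format: "t=<sec> proc=<image> api=<hooked call> arg=<argument>".
EVENT_RE = re.compile(r"proc=(?P<proc>\S+) api=(?P<api>\S+) arg=(?P<arg>.*)")

# Constructed event streams from the instrumented browser.
EVENTS_MALICIOUS = [
    r"t=0.001 proc=iexplore.exe api=HttpOpenRequestA arg=GET /index.html",
    r"t=0.250 proc=iexplore.exe api=WriteFile arg=C:\Temp\svc.exe",
    r"t=0.300 proc=iexplore.exe api=CreateProcessA arg=C:\Temp\svc.exe",
    r"t=0.310 proc=iexplore.exe api=RegSetValueExA arg=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
]
EVENTS_BENIGN = [
    r"t=0.001 proc=iexplore.exe api=HttpOpenRequestA arg=GET /index.html",
    r"t=0.050 proc=iexplore.exe api=WriteFile arg=C:\Temp\cache\page.html",
    r"t=0.900 proc=explorer.exe api=CreateProcessA arg=notepad.exe",
]


def behavioral_detect(events, browser: str = "iexplore.exe") -> list:
    """Behavioral stage: activity a browser rendering a page has no business doing.
    Only events from the monitored browser process count; other processes are ignored."""
    findings = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m or m["proc"].lower() != browser:
            continue
        api, arg = m["api"], m["arg"]
        if api.startswith("CreateProcess"):
            findings.append(f"process-spawn:{arg}")
        elif api == "WriteFile" and arg.lower().endswith((".exe", ".dll")):
            findings.append(f"executable-drop:{arg}")
        elif api.startswith("RegSetValue") and "\\currentversion\\run" in arg.lower():
            findings.append(f"persistence:{arg}")
    return findings


def assess(content: str, events) -> dict:
    """Combine both stages: either one is enough for a malicious verdict."""
    static = static_detect(content)
    behavioral = behavioral_detect(events)
    return {
        "static": static,
        "behavioral": behavioral,
        "verdict": "malicious" if (static or behavioral) else "clean",
    }


if __name__ == "__main__":
    print("plain page, static only:", static_detect(PAGE_PLAIN))
    print("split page, static only:", static_detect(PAGE_SPLIT))
    print("split page + sandbox activity:", assess(PAGE_SPLIT, EVENTS_MALICIOUS))
    print("split page, nothing fired in sandbox:", assess(PAGE_SPLIT, EVENTS_BENIGN))
```

The last call is the expensive failure mode the slide lists: when the page's exploit does not fire in the chosen OS/browser configuration, the behavioral stage sees nothing, and the verdict falls back to whatever the signatures and reputation checks can say.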

Page 27: Neptune Malware Detection System

• UI version
  – Focus on end-user, website owner
  – Daily scheduled scans, alerts


Page 29: Neptune Malware Detection System (continued)

• API version
  – Focus on bulk user, integration, research
  – Single URLs, Maps, or site with crawling

Page 30: Neptune Malware Detection System (continued)

• Available: qualys.com/stopmalware
• Contact: [email protected] for API access


Page 32: BrowserCheck

• https://browsercheck.qualys.com
• Security check for Browsers and Plug-ins
• End user focus, free and easy to use

Page 33: BrowserCheck (image slide)

Page 34: BrowserCheck (continued)

• 200,000 visits – Jul 2010 / Jan 2011
• IE, Firefox, Safari, Chrome, Opera
• Windows, Mac OS X and Linux

Page 35: BrowserCheck (image slide)

Pages 36-40: BrowserCheck Stats (image slides)

Page 41: BrowserCheck Stats

• Operating System:
  – Windows XP – 47 %
  – Windows 7 – 32 %
• Browser:
  – IE 8 – 36 %
  – Firefox 3.6 – 34 %
• Plug-in: ?
• Country:

Pages 42-43: BrowserCheck Stats (image slides)


Page 45: Ironbee – Web App Firewall

• Open source effort led by Ivan Ristic
  – Author of mod_security
  – WAF technology renewed
  – Focus on accuracy and usability
  – WAS and MDS (neptune) integration
• Available at: www.ironbee.com

• SSL Labs – SSL usage statistics
  – V2 is coming
  – http://ssllabs.com


Page 47: Dissect – Malware portal

• Led by Rodrigo Branco - www.kernelhacking.com
  – Team in Brazil, Malware and Vulnerability Research
• Malware exchange system up and running
• Malware analysis in alpha
  – Static analysis
  – Runtime analysis on virtual and real machines
• Integration with Neptune MDS coming in
• Community oriented effort
• Contact: [email protected]


Page 49: Honeynet

• Nemean Networks acquisition
• University of Wisconsin research team
  – Paul Barford - http://pages.cs.wisc.edu/~pb/publications.html
• Honeynet/Signature/IDS system
• Global Honeynet Effort
• Centralized Signature generation – open-source
• Snort/Suricata plug-ins – open-source

Page 50: Contacts

Wolfgang Kandek – [email protected]
Deshmukh – [email protected]